exploit the possibilities

Conceptronic Grab'n'Go Network Storage Directory Traversal

Conceptronic Grab'n'Go Network Storage Directory Traversal
Posted Sep 3, 2012
Authored by Mattijs van Ommeren

Conceptronic Grab'n'Go Network Storage suffers from a directory traversal vulnerability.

tags | exploit
MD5 | f5a50ae659b22f10044c5bb97d678a8c

Conceptronic Grab'n'Go Network Storage Directory Traversal

Change Mirror Download
Security Advisory AA-003: Directory Traversal Vulnerability in Conceptronic Grab’n’Go Network Storage

Severity Rating: High
Discovery Date: July 29, 2012
Vendor Notification: July 30, 2012
Disclosure Date: September 3, 2012

Vulnerability Type=
Directory Traversal

Impact=
- System Access
- Exposure of sensitive information

Severity=
Alcyon rates the severity of this vulnerability as high due to the following properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required;
- Number of Internet connected devices found.

Products and firmware versions affected=
- Conceptronic CH3ENAS firmware versions up to and including 3.0.12
- Conceptronic CH3HNAS firmware versions up to and including 2.4.13
- Possibly other rebranded Mapower network storage products

Risk Assessment=
An attacker can read arbitrary files, including the files that stores the administrative password.
This means an attacer could:
- Steal sensitive data stored on the device;
- Leverage the device to drop and/or host malware;
- Abuse the device to send spam through the victim’s Internet connection;
- Use the device as a pivot point to access locally connected systems or launch attacks directed to other systems.

Vulnerability=
The CGI-script that is responsible for showing the device logs is affected by a directory traversal vulnerability that

allows an attacker to view arbitrary files.

Proof of Concept Exploit=

curl "http://<victimIP>/cgi-bin/log.cgi?syslog&../../etc/sysconfig/config/webmaster.conf&Conceptronic2009"

Risk Mitigation=
At the time of disclosure no updated firmware version was available.
We recommend that you limit access to the devices's web management UI by utilizing proper packet filtering and/or NAT

on your router in order to limit network access to your NAS. Although this will not completely eliminate the risk of

exploitation, it becomes substantially more difficult to leverage a successful attack, because it would involve either

a compromise of another host on the victim’s local network or a client side attack that overcomes the Same Origin

Policy restrictions of the victim’s web browser.

Vendor Response=
- 2L/Conceptronic has declared on August 1 that it is not in their power to influence the manufacturer's patching

process
- Mapower, the manufacturer of the affected products, has contacted us on August 28 for details on reproducing the

issue on a CH3HNAS
- Mapower has confirmed on August 29 that they succesfully have reproduced the PoC exploit on a CH3HNAS and that they

are working on a fix

Fixed Versions=
- There is currently no vendor patch available.

=Latest version of this advisory
http://www.alcyon.nl/advisories/aa-003/


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    19 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close